Cybercriminals are targeting SAP business applications by exploiting a security defect that SAP patched in 2010, according to the US Computer Emergency Readiness Team (US-CERT). The news should serve as a wake-up call for businesses that have been slack in applying SAP security patches.
That’s because the vulnerability can enable cybercriminals to remotely control business operations and processes—and access other applications and data from within the SAP environment. US-CERT said at least 36 organizations worldwide have been affected by the SAP defect since 2013.
Given the massive trove of critical data stored on SAP applications—the company says its customers comprise 87% of the Forbes Global 2000 Companies—the financial impact of data loss is potentially enormous. What’s more, attackers could use the vulnerability to shut down essential business and manufacturing services, possibly incurring a world of financial, operational and reputational damages.
Separate, but insecure, systems
So why do businesses remain vulnerable to a flaw that was patched years ago? In a word, complexity. The intricate demands of SAP applications mean that security is typically managed by application specialists rather than enterprise security teams. As a result, SAP security maintenance is siloed and the enterprise cybersecurity team often lacks visibility into the SAP environment.
Complicating matters is the fact that administrators typically treat SAP software as an internal, trusted system and tend to focus on application-specific controls. In doing so, they may fail to implement the processes and technologies needed to guard against the external, Internet-facing attacks that the vulnerability makes possible.
Patching, in particular, is a significant challenge. An SAP landscape often comprises a complex network of interconnected applications, and it may be difficult to determine which patches are critical and what additional configuration changes they require.
Take action to protect your business
While no specific breach has yet been linked to the defect, it ultimately may be more instructive than destructive. How so? The vulnerability provides a timely opportunity for businesses to start a discussion about integrating SAP security with enterprise cybersecurity practices.
Doing so will require a risk-based approach that is aligned with overall cybersecurity strategy, processes and people skills. Also necessary will be a full quantification of the potential operational impact and financial costs of these risks.
For most businesses, checking for exposure to the SAP vulnerability likely will be a relatively straightforward undertaking. Determining whether your business has already been compromised through the defect, however, will require cybersecurity expertise and advanced threat-detection and incident-response capabilities. That can be a complex initiative, so now is a good time to start a discussion about SAP security with your executive and cybersecurity teams.